Keycloak
If you already have a Keycloak instance running, consider using that and proceed with installing MongoDB. See also Pre-Installation Tasks on which configuration values of your Keycloak installation you need to gather for the installation of IBM Financial Services Workbench.
Official Documentation
Keycloak - Documentation (9.0.3)
Install Keycloak Operator from the OperatorHub
As a cluster administrator, install the Keycloak operator from the OperatorHub to the namespace foundation :
In the OpenShift web console navigate to the Operators → OperatorHub page
Filter by keyword: Keycloak
Select the operator: Keycloak (Community) provided by Red Hat
Read the information about the operator and click Install
On the Create Operator Subscription page:
Select option A specific namespace on the cluster with namespace
foundationSelect an Update Channel (if more than one is available)
Select Automatic approval strategy
Click Subscribe
After the Subscription's upgrade status is Up to date, navigate in the web console to the Operators → Installed Operators page
Select the Keycloak Operator and verify that the content for the Overview tab of the Operators → Operator Details page is displayed
Create the Keycloak Instance
Create the Keycloak CRD instance in the namespace foundation:
Navigate in the web console to the Operators → Installed Operators page
Select the Keycloak Operator
Navigate to the Keycloak tab of the Operators → Operator Details page
Click Create Keycloak
In the Keycloak Operator → Create Keycloak page
Enter the resource definition (See Example Keycloak Configuration)
Click on Create
Verify that in the Keycloak tab the newly created foundation-keycloak CRD instance is displayed
Example Keycloak Configuration
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
name: foundation-keycloak
labels:
app: sso
namespace: foundation
spec:
instances: 1
extensions:
- >-
https://github.com/aerogear/keycloak-metrics-spi/releases/download/1.0.4/keycloak-metrics-spi-1.0.4.jar
externalAccess:
enabled: falseexternalAccess.enabled must be set to false and the public route itself must be created. If the property is set to true for the Keycloak configuration, the operator creates a route that can result in all requests on .apps.{CLUSTER_DOMAIN} being routed to the Keycloak service.Create Public Route for Keycloak
Create a public route keycloak-external as follows, with {CLUSTER_DOMAIN} set to your cluster domain:
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: keycloak-external
namespace: foundation
labels:
app: keycloak
spec:
host: keycloak-foundation.{CLUSTER_DOMAIN}
to:
kind: Service
name: keycloak
weight: 100
port:
targetPort: keycloak
tls:
termination: reencrypt
insecureEdgeTerminationPolicy: None
wildcardPolicy: NoneRetrieve Credentials
You can retrieve the credentials for connecting to the Keycloak by looking for a Kubernetes secret named credential-foundation-keycloak :
oc -n foundation get secret credential-foundation-keycloak -o jsonpath='{.data.ADMIN_USERNAME}' | base64 -d; echo
oc -n foundation get secret credential-foundation-keycloak -o jsonpath='{.data.ADMIN_PASSWORD}' | base64 -d; echoRetrieve Certificates
The certificates are needed later during installation (truststore.trustmap.identity), so please download and save them temporarily.
KEYCLOAK_HOST=`oc -n foundation get route keycloak-external -ojsonpath={.spec.host}`
echo | openssl s_client -showcerts -connect $KEYCLOAK_HOST:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > keycloak-fullchain.pemVerify the Keycloak Installation
When the Keycloak installation is complete, make sure that you can access Keycloak with the retrieved credentials and the URL specified by the route.host parameter in the values.yaml file of the route you just created in section Create public route for Keycloak.
oc -n foundation get route keycloak-external